Interacting with Container Registries - Docker, Podman, Skopeo, IBM Container Registry, Docker Hub

Captions
Hey, welcome back to part four of my mini series on what exactly is a container. Now, in this video we're focusing specifically on container registries. So at first we're going to go over exactly what a container registry actually is, and then we'll look at pushing and pulling images to and from container registries. We'll finish up the video with a quick look at a very convenient tool called Skopeo, where we can start to have a look at things like inspecting container images on a registry without actually having to pull them down to the local machine. We can also look at copying images from remote container registries into different file formats on a local system, and then finally we can look at an example of using Skopeo to copy an image from one registry directly to another. All right, let's get into it.

So what is a container registry? Based on the past couple of videos you probably guessed that it's just a registry filled with container images, and if you did, you would be right. We also know that a container image is just a tar file made up of other tar files that house file systems, and also some config to piece it all together. So it's just files. A container registry at its core is a file server: a file server serving container image files. Now, there's more advanced and feature-rich container registries out there doing a lot more than just that. We'll take a look at one in a moment, but the base goal of most registries is to make it easy to discover, share and collaborate on software.

An example of a more feature-rich container registry is the Red Hat registry. The Red Hat registry does a lot more than just host some files. Here I've searched for a Node.js image, I found the Node.js 12 image, and we can see that there's a whole bunch of metadata about the image. What's interesting about this is we also have this health rating. Now if we look into the security tab, you can see that we've got kind of like a mini security report. The Red Hat registry actually has security features like image scanning and CVE tracking for any known vulnerabilities, and then obviously this health index that makes it easy to identify what images are currently healthy and what images have gone bad.

The cool thing about this is if we had, say, 10 Node apps out there all using this same image, and then a vulnerability was discovered in any of the layers used by the image, the Red Hat registry would be able to notify us of that vulnerability in that layer, and we could easily just swap that layer out with a new image that doesn't have the vulnerability in it anymore. This is pretty unique to containers. Imagine if you were mutating an OS running in a VM, for example, and there was a vulnerability in one of the application binaries that you bundled with your app. You'd have to go through on each machine and apply a patch, so it's obviously a lot more difficult than simply changing a version number of a Node.js image that you're pulling as part of your image build process. Now, from this registry you can also get a glimpse of all the packages that are available inside the image, and you can also look at the Dockerfile that's used to build the image.

So let's start looking at interacting with some container registries. Okay, so in the last video we focused down here on building some container images, and now it's time to follow these arrows and send those container images up to the container registry. Let's go back to the Mac.

Okay, so there's a lot of different container registries out there, so how do we go about accessing them? First up, the default registry configured for the Docker CLI is actually docker.io, and it's not possible to set any other registry as the default registry. So if you did something like docker search nginx, it's only going to give you results for the docker.io container registry. This is done intentionally by Docker so that there's no confusion about the images that are being pulled and run by different people on different machines. So for example, if it was a configurable option, you might have one person's default pointing to docker.io and then another person might have their default pointing to registry.redhat.io, both of which may contain the exact same image name. So in that case both people may end up with different results, because they're actually using two different images from two different sources even though they entered the exact same docker command. It was just their registry config that was different.

So even though you can't set a default, you can still search, pull, push and all that stuff to different container registries using the Docker CLI. You just have to be explicit and preface the container image name with the image namespace and the name of the registry that you want to action against. So for example, if we wanted to search the Red Hat registry for an nginx container, we could do something like this, and then you can see the results from the Red Hat registry.

Now, Podman and Buildah work just a little differently to this. Let's SSH into the production host and have a look. So basically, with Podman and Buildah you can specify different registries to search against. You just have to specify them in order in an array in the registries config file. So you can have a look at the config here, and you can see here is where you have to enter the config. So like I just mentioned, Podman and Buildah will use these registries in the order that they are specified in this config file unless you specify a container registry explicitly. So for example, if we run the same podman search command, you can see that all the registries that were specified in that array were searched and we have the results for all of them. Now obviously here you can be more specific too and get the results for just a single registry. So I think it's probably just best to be as specific as possible about the registry URLs whenever you can. That way there's no ambiguity about what you're actually trying to do.

All right, so now we can focus on pushing the container image from the Mac up to the container registry. So I can exit this and get back to the Mac, and the first thing we need to do is log into the container registry. So just a quick look at that. You might remember this from the very first video where I did a really quick push and pull. So you can see in here I've just got a single namespace, I don't have any repos configured yet, and there's no images uploaded to this registry. So I'll come back here and use the docker login command to log into the registry, and there we go, that was successful. So we're now logged in, so we should be able to push our container image to the repo in the container registry.

Let's first take a quick look at the images that we have available to us on the local system. But you can see we also have, for example, the repository node, where there's no container registry associated with it, no namespace. So in a case like that, if we wanted to push the node repository up to the container registry, then we would need to retag the image. So just to quickly show you how to do that, you can now see that we have the exact same image just retagged, so that would be ready to push to our private repo as well.

Now let's push our hello world app. So there's a few components to the URL. First up we have the registry server. Now, you get these details typically when you actually sign up to the registry, so when I signed up to the IBM Container Registry it told me that the URL for the Sydney container registry is au.icr.io. If you were sending to Docker Hub, that would be docker.io. Then we have the namespace, which is pretty standard and just a way to logically group together different container repos within a registry. And then we have the repo name, so that's really just a collection of different versions of a container image. So for example, the repo hello world might house the hello world version 1, version 2, version 3 images. So whenever you update your container image and push the new image to the registry, you're basically adding a new entry into the repo.

And finally we have the tag. So the tag is really just a convenient way of pointing to a specific image layer or a version rather than referencing the digest of an image. So you saw those earlier, those SHA-256 hashes. It would be very hard to point to those all the time, so the tag makes that a lot easier. So it lets others easily reference the right layer to pull, and basically as a result also pulls all the dependent layers as well. So you could tell someone to pull version three of your image and they don't have to go around and try and find the correct digest to pull, they can just enter version three. Now, if you don't specify a tag, then the default tag that's used is latest, so that's usually used to point to the latest version of the repo that's been uploaded.

That's completed. If we take a look at the registry now, we can give that a refresh and we can see in our namespace now we have one repo and one image. So you can see here it comes with the metadata from the host system. We can click into the image to see some more details about it. You can see up here this is actually the SHA-256 hash of the image, so you can see why it's a lot easier to tag your images correctly. And you can see that the container registry also does some security scanning as well, so we've got no issues on this particular image. So again, I've just shown this with the Docker command line, but the Podman and the Buildah command lines have the exact same functionality, so both of those tools will also let you correctly tag an image and then push the image to the container registry.

Okay, so our image is now sitting up here in the container registry. So what we need to do next is we need to move over to the production host and we need to pull a copy down so that we can run it. So first we can SSH into the production host. Let's just do a quick check of our images that are available. Okay, so these are what we used in the last video. Let's just make sure nothing's still running and then clear them out so there's no confusion. Okay, still think something's associated with that, so we'll just force that. Okay, so we have no running containers and no images. Now we want to log into the IBM Container Registry. Okay, and now we're logged in, so we can just replace push with pull. Okay, so we'll leave that there for now. I'll return to that in the next video when we look deeper into what actually happens behind the scenes when we start this image and it starts running in its own isolated environment.

But before I wrap up this video, I want to quickly show you a very handy tool for playing with container images and also interacting with container registries, and that's called Skopeo. So we've used it a little bit in the previous videos, but I'm just going to go into a little bit more detail on the types of activities that it can help you with. So first of all is the skopeo inspect command. This saves you from having to actually pull an image down onto the local machine and then using something like podman inspect to inspect the image. You can inspect it directly on the remote registry using the docker protocol. So you can see this went off and it inspected the nginx container image on the Docker container registry.

And by the way, this is probably a good time just to show you that tags are really just a way of pointing to a particular image identified as a digest. So where we just used latest, you could actually grab this digest here, substitute the tag latest with that digest, and we actually need to substitute the colon for an at, and you can see the same thing's actually returned. So I guess this just proves that the latest keyword in this case is definitely much easier than knowing that SHA-256 digest.

So like Podman and Docker, you can also use Skopeo to copy images from remote registries. It's not too different, but with Skopeo you can actually be a little bit more creative about where you copy the image to. So let's get a copy of nginx and store it in our local containers storage. So you can see there that we now have that nginx image stored as nginx copy. You can also use Skopeo to pull an image down directly to a local directory, so instead of container storage we can actually just say dir. But that's in the Docker format and we don't really care so much for that. What we can also do is do the same thing but save it in an OCI format. That's the format we're more familiar with.

Okay, and for the last example I'll show you how we can move a container image from one registry to another without actually having to pull and push the image. So this can be handy for promoting images between registries, for example. So I've logged into Docker Hub, and now as a first step we can create a new repository. I'll call this hello world prod. You can see we now have this hello world prod repo. We can go back to the command line. So you can see here I specify the source credentials for the IBM Container Registry and the destination credentials for my Docker registry, and then the path to the hello world version 1 file in the IBM Container Registry, followed by the path where I want to copy that image to in the Docker registry. Now, you can ignore the credentials that I've put in here as well, because they will be removed by the time this video goes live to YouTube. And there we go. We can come back to the Docker registry, we can give it a refresh, and we now have the version one tag in the production registry.

Now, if you're anything like me, you do this sort of work from your Mac even though the images end up on a Linux machine. You need to just remember to override the architecture and the OS when you're using Skopeo. So for example, if I go back to the Mac and do a skopeo inspect, you'll see that it can't find any images, and that's because it's using OS darwin. So what you can do is you can override the architecture, which isn't really needed for me in this case but it's an option just in case you need it, and you can override the OS.

Okay, cool, and that wraps up this video on container registries. As always, I hope you enjoyed it and most importantly learned something new. If you did, please hit the like and subscribe button so you can be notified whenever I release a new video. Now, if you have the time, make sure you stick around for my fifth and final video of this mini series. It's going to be a good one. It's on running containers, where I take a deeper dive into technologies like runc, umoci, and Linux namespaces and cgroups. Alright, cool, thanks again and bye for now.
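
Added example, not from the video or its author: a small Python parser for the registry/namespace/repo:tag@digest references described in the captions, showing how the same short name resolves under the Docker CLI default versus an ordered Podman-style search list, and that only a digest pins content. The function names are this example's own; any namespace or search order passed to it is a constructed sample value.

```python
import re
from typing import List, NamedTuple, Optional

# Added illustration; names below are this example's own, not a tool's API.
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")

class ImageRef(NamedTuple):
    registry: Optional[str]  # None when the reference names no registry
    repository: str          # namespace/repo path
    tag: Optional[str]
    digest: Optional[str]

def parse(ref: str) -> ImageRef:
    """Split [registry/][namespace/]repo[:tag][@digest]; apply no defaults."""
    name, _, digest = ref.partition("@")
    if digest and not DIGEST_RE.match(digest):
        raise ValueError(f"malformed digest in {ref!r}")
    first, slash, rest = name.partition("/")
    # The first component is a registry host only if it contains a dot or a
    # port, or is "localhost"; otherwise it belongs to the repository path.
    if slash and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = None, name
    repo, colon, tag = path.rpartition(":")
    if not colon:
        repo, tag = path, None
    return ImageRef(registry, repo, tag, digest or None)

def docker_resolve(ref: str) -> str:
    """What the Docker CLI acts on: docker.io default, 'latest' default tag."""
    r = parse(ref)
    registry = r.registry or "docker.io"
    repo = r.repository
    if registry == "docker.io" and "/" not in repo:
        repo = "library/" + repo  # Docker Hub official-image namespace
    if r.digest:  # a digest pins exact content; any tag is informational
        return f"{registry}/{repo}@{r.digest}"
    return f"{registry}/{repo}:{r.tag or 'latest'}"

def podman_candidates(ref: str, search_order: List[str]) -> List[str]:
    """Registries tried, in order, for a name with no registry in it."""
    if parse(ref).registry:
        return [ref]
    return [f"{reg}/{ref}" for reg in search_order]

def is_pinned(ref: str) -> bool:
    """True only when the reference selects content by digest, not by tag."""
    return parse(ref).digest is not None
```

A reference for which `is_pinned` returns False can point at different content after the next push to that tag, which is the reason to record the digest for anything promoted to production.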
Info
Channel: Ryan Hay
Views: 669
Rating: 5 out of 5
Id: F5fPkchWsFA
Length: 14min 46sec (886 seconds)
Published: Tue Sep 22 2020